Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...

Avatar for no1zy no1zy
March 11, 2019
5
1.7k

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function

Burp Suite Japan LT Carnivalでの発表資料

Avatar for no1zy

no1zy

March 11, 2019
Tweet

More Decks by no1zy

See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
Avatar for no1zy no1zy
14
4.8k

Featured

See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
9
780
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
695
190k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
161
15k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.8k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
30
9.6k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.8k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
55
6.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
110
20k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
83
9.1k

Transcript

  1. Burp SuiteͷศརͳػೳͰ όάό΢ϯςΟ No1zy

  2. ࣗݾ঺հ • twitter: @no1zy_sec • ৘ใܥઐ໳ֶੜ • ৽ถόάϋϯλʔ • ڈ೥ͷ֫ಘใ঑ۚ૯ֹ

    612ສԁ

  3. όάϋϯλʔ͸Burp Suite͕େ޷͖ The 2019 Hacker Report

  4. Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ

  5. ঺հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze

    target શͯPro൛ͷΈͰར༻Ͱ͖Δ

  6. 1. Burp Collaborator client

  7. Burp Collaborator client • ֎෦ͷ଴ͪड͚αʔόʔͱͯ͠ͷ໾ׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •

    DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ

  8. ࢖͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ

  9. ࢖͍ํ 2. Copy to clipboardΛΫϦοΫ

  10. ࢖͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ઀ଓςετ

  11. ࢖͍ํ • ϦΫΤετΛ֬ೝ͢Δ

  12. SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ

  13. SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢Δػೳ͸ɺSSRF͕Մೳͳ৔߹͕͋Δ

  14. http://127.0.0.1:22 SSRF Payload

  15. SSRFͷςετྫ Ϩεϙϯε

  16. http://127.0.0.1:4444 SSRF Payload

  17. SSRFͷςετྫ Ϩεϙϯε

  18. ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ

  19. None

  20. 2. Find Script

  21. Find Script • JavaScriptϑΝΠϧΛऩू͢Δ໨తͰ࢖༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີ৘ใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹ໾ཱͯΔ͜ͱ͕Ͱ͖Δ

  22. ࢖͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s

  23. ࢖͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ

  24. ࢖͍ํ • Export scriptsͰϑΝΠϧʹநग़΋Ͱ͖Δ

  25. APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ

  26. JSParser

  27. 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ

  28. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only

    ʹνΣοΫ͠ js ͱೖྗ

  29. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 3. ΞΠςϜΛશબ୒͢Δ

  30. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 4. Copy URLsΛΫϦοΫ

  31. 2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ෇͚ 2. JSParseΛΫϦοΫ

  32. ৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬཰Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ

  33. 3. Analyze target

  34. Analyze target • Ͳͷύϥϝʔλ͕Կճ࢖༻͞Ε͍ͯΔ͔೺Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։΍ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ৔߹͕͋Δ

  35. ࢖͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ

  36. ࢖͍ํ ղੳ݁ՌΛ֬ೝ͢Δ

  37. Happy Hunting!